Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 00:49
Static task: static1
Behavioral task: behavioral1
Sample: 724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe
Resource: win10v2004-20241007-en
General
Target: 724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe
Size: 7.1MB
MD5: 619afea6aff8b04b05222527b1da2bba
SHA1: 6e3aa7b9f24bff7b624e5ecc8aaf1615d05d05e5
SHA256: 724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c
SHA512: 059e7c4014e71154808a000a014b93ab19b54070237121ede794ca773266e01bd0dd969ec9d1ddb9fee11515298c03e952367c6e2a4e73ef568a436ff6ac993e
SSDEEP: 196608:qZQzJnlM+Tq+KX+TiRxcide1DR4mfbPmf0O:qZQz7fKs1DKwm
Malware Config
Extracted: amadey
- version: 4.42
- 9c9aa5
- C2: http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted: stealc
- mars
- C2: http://185.215.113.206
- url_path: /c4becf79229cb002.php
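The two extracted configs give a C2 host and a beacon path per family, which is enough to build network IoCs and run them over proxy logs. The script below is an added example, not part of the sandbox report: it takes the host and path values from the Malware Config above, matches them at two confidence levels (full beacon URL versus any request to the C2 host), and runs over proxy records that are constructed for the demo (the payload path on line 2 of the sample log is made up).

```python
"""Network IoCs from the extracted Amadey and Stealc configs, matched
against HTTP proxy records.  Added example, not part of the sandbox
report; the log lines below are constructed for the demo."""
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section: C2 origin plus the
# URL path each family posts to.
CONFIGS = {
    "amadey": {"c2": "http://185.215.113.43", "paths": ["/Zu7JuNko/index.php"]},
    "stealc": {"c2": "http://185.215.113.206", "paths": ["/c4becf79229cb002.php"]},
}


def network_iocs(configs=CONFIGS):
    """Return {family: {bare host, host+path, ...}} so an observation can
    be matched at two confidence levels (full beacon URL vs. host only)."""
    out = {}
    for family, cfg in configs.items():
        host = urlsplit(cfg["c2"]).netloc
        out[family] = {host} | {host + p for p in cfg["paths"]}
    return out


def match_proxy_log(lines, configs=CONFIGS):
    """Scan 'timestamp method host path status' proxy records.
    Returns (line_no, family, method, host+path, confidence) tuples:
    'beacon' when host and path both match the config, 'host-only' for
    any other request to the C2 host (follow-on payload fetches etc.)."""
    iocs = network_iocs(configs)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record: skip rather than crash the scan
        _ts, method, host, path = parts[:4]
        for family, ioc_set in iocs.items():
            if host + path in ioc_set:
                hits.append((n, family, method, host + path, "beacon"))
            elif host in ioc_set:
                hits.append((n, family, method, host + path, "host-only"))
    return hits


# Constructed proxy records (not from the report): two beacons, one
# other fetch from the Amadey host, and one unrelated request.
SAMPLE_LOG = [
    "2024-11-26T00:50:11Z POST 185.215.113.43 /Zu7JuNko/index.php 200",
    "2024-11-26T00:50:14Z GET 185.215.113.43 /Zu7JuNko/example.bin 200",
    "2024-11-26T00:50:30Z POST 185.215.113.206 /c4becf79229cb002.php 200",
    "2024-11-26T00:50:31Z GET www.example.com / 200",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG):
        print(hit)
```

The host-only tier exists because Amadey fetches its follow-on payloads from the same host on paths the config does not enumerate, so a rule keyed only on `/Zu7JuNko/index.php` would miss the downloads that the "Downloads MZ/PE file" signature below refers to.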
Signatures
Amadey family
Detect Poverty Stealer Payload 1 IoCs
- resource behavioral1/files/0x0008000000023bdc-113.dat, yara_rule family_povertystealer
Poverty Stealer
Poverty Stealer is a cryptocurrency and information stealer written in C++.
Povertystealer family
Stealc family
Windows Defender Real-Time Protection policy values written
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Key created (4u579h.exe)
- Set value (int) DisableIOAVProtection = "1" (4u579h.exe)
- Set value (int) DisableOnAccessProtection = "1" (4u579h.exe)
- Set value (int) DisableBehaviorMonitoring = "1" (4u579h.exe)
- Set value (int) DisableRealtimeMonitoring = "1" (4u579h.exe)
- Set value (int) DisableScanOnRealtimeEnable = "1" (4u579h.exe)
- Set value (int) DisableIOAVProtection = "1" (ed24aa3d48.exe)
- Set value (int) DisableOnAccessProtection = "1" (ed24aa3d48.exe)
- Set value (int) DisableBehaviorMonitoring = "1" (ed24aa3d48.exe)
- Set value (int) DisableRealtimeMonitoring = "1" (ed24aa3d48.exe)
- Set value (int) DisableScanOnRealtimeEnable = "1" (ed24aa3d48.exe)
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes created with an explicitly chosen parent (parent PID spoofing):
- PID 4656 xl.exe created a process whose parent was set to PID 3320 (Explorer.EXE)
- PID 5164 AddInProcess32.exe created a process whose parent was set to PID 2488 (sihost.exe); the process tree shows a SysWOW64 fontdrvhost.exe (PID 4424) parented to sihost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by: 1W48q7.exe, 2m7996.exe, 3o57y.exe, 4u579h.exe, 6328d60ca4.exe, 82d6528556.exe, 016d402cda.exe, ed24aa3d48.exe, skotes.exe (3 instances)
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
PIDs: 6644 chrome.exe, 2704 chrome.exe, 888 chrome.exe, 4824 chrome.exe
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by: 1W48q7.exe, 2m7996.exe, 3o57y.exe, 4u579h.exe, 6328d60ca4.exe, 82d6528556.exe, 016d402cda.exe, ed24aa3d48.exe, skotes.exe (3 instances)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by: 1W48q7.exe, 2m7996.exe, 3o57y.exe, 4u579h.exe, 6328d60ca4.exe, 82d6528556.exe, 016d402cda.exe, ed24aa3d48.exe, skotes.exe (3 instances)
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation by: 016d402cda.exe, 1W48q7.exe, skotes.exe
Executes dropped EXE 21 IoCs
- 2116 a2k57.exe
- 2020 a8p71.exe
- 1452 1W48q7.exe
- 3244 skotes.exe
- 4928 2m7996.exe
- 1532 3o57y.exe
- 3816 x4lburt.exe
- 2824 computerlead.exe
- 2224 4u579h.exe
- 4656 xl.exe
- 4532 1Shasou.exe
- 2696 6328d60ca4.exe
- 3448 xl.exe
- 5092 82d6528556.exe
- 2472 c2fc27a15b.exe
- 2684 ed24aa3d48.exe
- 4284 016d402cda.exe
- 5340 skotes.exe
- 6232 service123.exe
- 5200 skotes.exe
- 5304 service123.exe
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine by: 1W48q7.exe, 2m7996.exe, 3o57y.exe, 4u579h.exe, 6328d60ca4.exe, 82d6528556.exe, 016d402cda.exe, ed24aa3d48.exe, skotes.exe (3 instances)
Loads dropped DLL 2 IoCs
PIDs: 6232 service123.exe, 5304 service123.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows Defender Features values written
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Key created (4u579h.exe)
- Set value (int) TamperProtection = "0" (4u579h.exe)
- Set value (int) TamperProtection = "0" (ed24aa3d48.exe)
Adds Run key to start application 2 TTPs 8 IoCs
HKCU Run values written by skotes.exe (the Amadey loader) for the payloads it downloaded into numbered Temp directories:
- \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6328d60ca4.exe = "C:\Users\Admin\AppData\Local\Temp\1009162001\6328d60ca4.exe"
- \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\82d6528556.exe = "C:\Users\Admin\AppData\Local\Temp\1009163001\82d6528556.exe"
- \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c2fc27a15b.exe = "C:\Users\Admin\AppData\Local\Temp\1009164001\c2fc27a15b.exe"
- \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed24aa3d48.exe = "C:\Users\Admin\AppData\Local\Temp\1009165001\ed24aa3d48.exe"
RunOnce values written by the nested self-extracting (IExpress/wextract) layers. These are the extractor's standard clean-up entries, which delete its IXPnnn.TMP directory at the next logon; they are not attacker persistence and should not be treated as such when triaging:
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" (724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe)
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" (a2k57.exe)
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" (a8p71.exe)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\" (x4lburt.exe)
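The Defender policy writes listed earlier (Real-Time Protection Disable* values set to 1, TamperProtection set to 0) and the Run keys above are all registry value sets, so one Sysmon Event ID 13 rule set covers them. The code below is an added example, not part of the report. It normalises the WOW6432Node view that 32-bit writers like these produce, accepts both Sysmon's `DWORD (0x00000001)` rendering and the bare `"1"` shown in the report, and deliberately ignores the wextract_cleanup RunOnce entries so the IExpress clean-up does not fire the persistence rule. One caveat a responder should keep in mind: on a host with Tamper Protection enabled Defender does not honour these policy values, so the write attempt itself, not a change in protection state, is the signal. The image paths of 4u579h.exe and ed24aa3d48.exe in the sample events are assumptions; the report does not show them.

```python
"""Detections for the registry writes in this report, run over constructed
Sysmon Event ID 13 (RegistryEvent: value set) records.  Added example, not
from the report; the dicts mirror Sysmon's EventType / TargetObject /
Details / Image / ProcessId fields."""
import re


def _norm(target: str) -> str:
    """Sysmon logs the physical key, so 32-bit writers appear under
    WOW6432Node; strip it so one pattern covers both registry views."""
    return re.sub(r"\\WOW6432Node", "", target, flags=re.I)


def _dword(details: str):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; sandbox reports show
    a bare "1".  Accept both, return None for anything else."""
    m = re.fullmatch(r'(?:DWORD \(0x([0-9a-f]{8})\)|"?(\d+)"?)', details.strip(), re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


DEFENDER_RT = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
DEFENDER_TP = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
# Run only: RunOnce\wextract_cleanupN is the IExpress extractor's own clean-up.
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Amadey drops payloads into %LOCALAPPDATA%\Temp\<numeric id>\<name>.exe
TEMP_NUMERIC_EXE = re.compile(r"\\AppData\\Local\\Temp\\\d{6,}\\[^\\]+\.exe", re.I)


def classify(event: dict):
    """Return (rule, severity, detail) for a suspicious SetValue, else None."""
    if event.get("EventType") != "SetValue":
        return None
    target = _norm(event["TargetObject"])
    details, image = event["Details"], event["Image"]
    m = DEFENDER_RT.search(target)
    if m and _dword(details) == 1:
        return ("defender_realtime_policy_disabled", "high", f"{m.group(1)} by {image}")
    if DEFENDER_TP.search(target) and _dword(details) == 0:
        return ("defender_tamperprotection_write", "high", f"written by {image}")
    if RUN_VALUE.search(target) and TEMP_NUMERIC_EXE.search(details):
        return ("run_key_to_temp_payload", "medium", f"{details} by {image}")
    return None


def triage(events):
    """(ProcessId, rule, severity, detail) for every event that fires."""
    return [(e["ProcessId"], *hit) for e in events if (hit := classify(e))]


# Constructed events modelled on the report's IoCs.  Writer paths for
# 4u579h.exe and ed24aa3d48.exe are assumptions (not shown in the report).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "ProcessId": 2224,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Users\Admin\AppData\Local\Temp\4u579h.exe"},
    {"EventType": "SetValue", "ProcessId": 2684,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Users\Admin\AppData\Local\Temp\1009165001\ed24aa3d48.exe"},
    {"EventType": "SetValue", "ProcessId": 3244,
     "TargetObject": r"HKU\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c2fc27a15b.exe",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\1009164001\c2fc27a15b.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"},
    # IExpress clean-up: RunOnce, not Run, and no numeric Temp dir -> benign
    {"EventType": "SetValue", "ProcessId": 664,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "Image": r"C:\Users\Admin\AppData\Local\Temp\724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe"},
    # Ordinary user autostart (constructed) -> benign
    {"EventType": "SetValue", "ProcessId": 5000,
     "TargetObject": r"HKU\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The Run-key rule is scoped to executables in numeric Temp directories rather than to "any Run value", which is what keeps it quiet on a normal workstation; the file name itself (6328d60ca4.exe and friends) is a random hash-like token that changes per download and is not worth keying on.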
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
- resource behavioral1/files/0x0008000000023c12-1356.dat, yara_rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
PIDs: 1452 1W48q7.exe, 3244 skotes.exe, 4928 2m7996.exe, 1532 3o57y.exe, 2224 4u579h.exe, 2696 6328d60ca4.exe, 5092 82d6528556.exe, 2684 ed24aa3d48.exe, 4284 016d402cda.exe, 5340 skotes.exe, 5200 skotes.exe
Suspicious use of SetThreadContext 2 IoCs
Thread context written into a freshly created child, the usual process hollowing pattern (compare the WriteProcessMemory entries below):
- PID 4656 xl.exe set the thread context of PID 3448 (its own child xl.exe)
- PID 2824 computerlead.exe set the thread context of PID 5164 (AddInProcess32.exe)
Drops file in Windows directory 1 IoCs
- File created C:\Windows\Tasks\skotes.job (1W48q7.exe)
A .job file under C:\Windows\Tasks is a legacy (Task Scheduler 1.0) task, consistent with the "Uses Task Scheduler COM API" signature below; it carries the name of the Amadey install_file skotes.exe.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
- WerFault.exe PID 6516 handled a crash of PID 5164 (AddInProcess32.exe, the hollowing target of computerlead.exe)
- WerFault.exe PID 212 handled a crash of PID 4284 (016d402cda.exe)
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: 724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe, a2k57.exe, a8p71.exe, 1W48q7.exe, skotes.exe, 2m7996.exe, 3o57y.exe, 4u579h.exe, 1Shasou.exe, 6328d60ca4.exe, 82d6528556.exe, c2fc27a15b.exe, ed24aa3d48.exe, 016d402cda.exe, computerlead.exe, AddInProcess32.exe, fontdrvhost.exe, service123.exe, schtasks.exe, xl.exe (2 instances), taskkill.exe (5 instances)
This key is also opened by the Microsoft utilities in the list (taskkill.exe, schtasks.exe, fontdrvhost.exe), so on its own it is a weak indicator.
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (016d402cda.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (016d402cda.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe, 2 instances)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe, 2 instances)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Only the 016d402cda.exe reads are attributable to the malware; the firefox.exe entries are the browser's own hardware enumeration after c2fc27a15b.exe launched it.
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
These are likewise the browser's own reads, not a sandbox check by the stealer.
Kills process with taskkill 5 IoCs
PIDs: 4444 taskkill.exe, 4676 taskkill.exe, 4880 taskkill.exe, 1332 taskkill.exe, 3344 taskkill.exe
Modifies registry class 1 IoCs
- Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings (firefox.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs: 5132 schtasks.exe
Suspicious behavior: EnumeratesProcesses 63 IoCs
Events per process: 1452 1W48q7.exe (2), 3244 skotes.exe (2), 4928 2m7996.exe (2), 1532 3o57y.exe (2), 2824 computerlead.exe (3), 2224 4u579h.exe (4), 2696 6328d60ca4.exe (2), 4656 xl.exe (1), 3448 xl.exe (18), 5092 82d6528556.exe (2), 2472 c2fc27a15b.exe (4), 2684 ed24aa3d48.exe (5), 4284 016d402cda.exe (2), 5340 skotes.exe (2), 5164 AddInProcess32.exe (4), 4424 fontdrvhost.exe (4), 6644 chrome.exe (2), 5200 skotes.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Events per process: 6644 chrome.exe (3)
Suspicious use of AdjustPrivilegeToken 16 IoCs
- SeDebugPrivilege: 2824 computerlead.exe, 2224 4u579h.exe, 4656 xl.exe (2), 4444 taskkill.exe, 4676 taskkill.exe, 4880 taskkill.exe, 1332 taskkill.exe, 3344 taskkill.exe, 2924 firefox.exe (2), 2684 ed24aa3d48.exe
- SeShutdownPrivilege: 6644 chrome.exe (2)
- SeCreatePagefilePrivilege: 6644 chrome.exe (2)
Suspicious use of FindShellTrayWindow 59 IoCs
Events per process: 1452 1W48q7.exe (1), 2472 c2fc27a15b.exe (11), 2924 firefox.exe (21), 6644 chrome.exe (26)
Suspicious use of SendNotifyMessage 31 IoCs
Events per process: 2472 c2fc27a15b.exe (11), 2924 firefox.exe (20)
Suspicious use of SetWindowsHookEx 1 IoCs
PIDs: 2924 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Parent wrote into child (number of write events), following the process tree:
- 664 724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe -> 2116 a2k57.exe (3)
- 2116 a2k57.exe -> 2020 a8p71.exe (3)
- 2020 a8p71.exe -> 1452 1W48q7.exe (3)
- 1452 1W48q7.exe -> 3244 skotes.exe (3)
- 2020 a8p71.exe -> 4928 2m7996.exe (3)
- 2116 a2k57.exe -> 1532 3o57y.exe (3)
- 3244 skotes.exe -> 3816 x4lburt.exe (2)
- 3816 x4lburt.exe -> 2824 computerlead.exe (3)
- 664 724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe -> 2224 4u579h.exe (3)
- 3244 skotes.exe -> 4656 xl.exe (3)
- 3244 skotes.exe -> 4532 1Shasou.exe (3)
- 3244 skotes.exe -> 2696 6328d60ca4.exe (3)
- 4656 xl.exe -> 3448 xl.exe (6)
- 3244 skotes.exe -> 5092 82d6528556.exe (3)
- 3244 skotes.exe -> 2472 c2fc27a15b.exe (3)
- 2472 c2fc27a15b.exe -> 4444 taskkill.exe (3)
- 2472 c2fc27a15b.exe -> 4676 taskkill.exe (3)
- 2472 c2fc27a15b.exe -> 4880 taskkill.exe (3)
- 2472 c2fc27a15b.exe -> 1332 taskkill.exe (3)
- 2472 c2fc27a15b.exe -> 3344 taskkill.exe (3)
- 2472 c2fc27a15b.exe -> 3052 firefox.exe (2 shown; the listing stops at 64 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2488
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4424
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe"C:\Users\Admin\AppData\Local\Temp\724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2k57.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2k57.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8p71.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8p71.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W48q7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W48q7.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\computerlead.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\computerlead.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 60010⤵
- Program crash
PID:6516
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
-
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\1009162001\6328d60ca4.exe"C:\Users\Admin\AppData\Local\Temp\1009162001\6328d60ca4.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\1009163001\82d6528556.exe"C:\Users\Admin\AppData\Local\Temp\1009163001\82d6528556.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5092
-
-
C:\Users\Admin\AppData\Local\Temp\1009164001\c2fc27a15b.exe"C:\Users\Admin\AppData\Local\Temp\1009164001\c2fc27a15b.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4444
C:\Windows\SysWOW64\taskkill.exe (depth 8)
taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\SysWOW64\taskkill.exe (depth 8)
taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\taskkill.exe (depth 8)
taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\taskkill.exe (depth 8)
taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
PID:3052

C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2060 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1796 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09f1b881-8bcd-4e02-a62f-f0aa43832170} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" gpu
PID:3812

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2492 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bb50271-20bf-4b48-af29-4c234cc524ec} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" socket
PID:760

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14730343-168e-499a-b09e-4a65a60c13f4} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 2712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba1cbe09-632c-438d-8ce5-44fb10f0f2af} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab
PID:3872

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4776 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb5cc0a5-4eae-4f19-a318-db8c6fd8f79d} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" utility
- Checks processor information in registry
PID:6280

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 5184 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d31607-f61c-4fee-a995-807491f8b0db} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab
PID:2116

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d09a6de-779c-4d79-9fe0-623369c6148a} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab
PID:2944

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d56d63-9537-4061-ac01-4614af5e7637} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab
PID:768
C:\Users\Admin\AppData\Local\Temp\1009165001\ed24aa3d48.exe (depth 7)
"C:\Users\Admin\AppData\Local\Temp\1009165001\ed24aa3d48.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Users\Admin\AppData\Local\Temp\1009166001\016d402cda.exe (depth 7)
"C:\Users\Admin\AppData\Local\Temp\1009166001\016d402cda.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 8)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6644

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff865c1cc40,0x7ff865c1cc4c,0x7ff865c1cc58
PID:6652

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
PID:6904

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
PID:6920

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
PID:6992

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
- Uses browser remote debugging
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
- Uses browser remote debugging
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 9)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:1
- Uses browser remote debugging
PID:4824

C:\Users\Admin\AppData\Local\Temp\service123.exe (depth 8)
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6232

C:\Windows\SysWOW64\schtasks.exe (depth 8)
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5132

C:\Windows\SysWOW64\WerFault.exe (depth 8)
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1384
- Program crash
PID:212
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m7996.exe (depth 5)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m7996.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3o57y.exe (depth 4)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3o57y.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4u579h.exe (depth 3)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4u579h.exe
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5340

C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5164 -ip 5164
PID:6488

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (depth 1)
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID:1160

C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4284 -ip 4284
PID:4776

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\Users\Admin\AppData\Local\Temp\service123.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\/service123.exe
- Executes dropped EXE
- Loads dropped DLL
PID:5304
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Modify Authentication Process (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads